In the recent past, similar attack cases hit this industry, such as the MartyMcFly case, where the attackers weaponized their emails with Quasar RAT payloads. In this case, instead, Cybaze-Yoroi ZLab detected the usage of multi-platform Java malware.

Technical analysis

A preliminary analysis of the two malicious email waves shows no strict common indicators: the SMTP infrastructure detected on the 16th and 17th differs from the one used on the 21st; the attachment types don’t match (the first wave carried .jar attachments, the second ZIP archives and JS scripts); and the email themes differ too.

In detail, the first email wave was crafted to simulate a purchase order, impersonating administrative personnel of an Italian company operating in the hydraulic and lifting sectors, “Difast Srl”. These messages were written in Italian.

The second email wave, instead, was no longer in Italian. This time the attackers impersonated a German logistics company, “Dederich Spedition”, simulating another kind of purchase order communication.

However, we figured out these two email waves were linked to the same attacker.

Dissecting the Stage1

The following attachments have been analyzed by the Cybaze-Yoroi ZLab team:

The first two malware samples were attached to the suspicious emails sent since 16th January. The last one was embedded in the 21st January emails.

Analyzing the first two JAR archives in detail, it’s possible to see that the source code is the same, except for the names of the declared classes. Thus, the analysis is conducted on only one of them.

Figure 2 – Comparison between the two JAR file droppers

The JS file, instead, has a different structure, as visible in the following figure.

Figure 3 – Code snippet of the JS file dropper

Despite the different structures of code and programming languages, all the dropper samples have the same encoded payload strings.

The string labeled with the variable name “duvet” hides another layer of code. The obfuscation method is quite simple: just replace the “#@>” sequence with “m”, then base64-decode the result. The decoded output is visible in the following figure:

Table 4 – First step of decoding the base64 encoded string
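The decoding step described above, as an added example that is not part of the Yoroi analysis: a small Python deobfuscator that restores the “m” character, strictly base64-decodes, and keeps peeling nested layers (the dropper nests several rounds, ending in a binary JAR) until the content no longer looks like a wrapper. The sample string is constructed here by re-applying the same substitution to a tiny in-memory ZIP standing in for the real JAR; the function names (decode_layer, peel, classify, jar_entries) are my own and not the dropper’s.

```python
import base64
import binascii
import io
import re
import zipfile

# The dropper's only obfuscation step (from the analysis above): the base64
# letter "m" is swapped for the sequence "#@>".
MARKER = "#@>"
# After restoring "m", a genuine layer must contain only base64 alphabet and whitespace.
B64_LAYER = re.compile(r"^[A-Za-z0-9+/=\s]+$")


def decode_layer(blob: str) -> bytes:
    """Undo one round: restore "m", strip whitespace, strict base64 decode."""
    restored = blob.replace(MARKER, "m")
    compact = "".join(restored.split())
    if not compact or not B64_LAYER.match(compact):
        raise ValueError("not an obfuscated base64 layer")
    return base64.b64decode(compact, validate=True)


def peel(blob: str, max_rounds: int = 16):
    """Decode nested layers until the content no longer decodes as a wrapper.

    Returns (layers, final): the text of every layer that was decoded and the
    innermost bytes, which may be binary (e.g. the embedded JAR).
    """
    layers = []
    current = blob
    final = current.encode()
    for _ in range(max_rounds):
        try:
            decoded = decode_layer(current)
        except (ValueError, binascii.Error):
            break  # current is the real payload, not another wrapper
        layers.append(current)
        final = decoded
        try:
            current = decoded.decode("utf-8")
        except UnicodeDecodeError:
            break  # binary payload reached; nothing further to peel
    return layers, final


def classify(payload: bytes) -> str:
    """Label the innermost payload: a ZIP/JAR container, plain text, or other binary."""
    if payload.startswith(b"PK\x03\x04"):
        return "zip/jar"
    try:
        payload.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text"


def jar_entries(payload: bytes) -> list:
    """List the members of a recovered JAR so the next stage can be triaged."""
    with zipfile.ZipFile(io.BytesIO(payload)) as jar:
        return jar.namelist()


# --- constructed sample (not the real dropper string) -------------------------
def encode_layer(data: bytes) -> str:
    """Reproduce the obfuscation, only to build the sample below."""
    return base64.b64encode(data).decode().replace("m", MARKER)


def build_sample() -> str:
    """A tiny stand-in JAR wrapped in three rounds, mimicking 'duvet' -> ... -> 'longText'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    inner = encode_layer(buf.getvalue())
    middle = encode_layer(inner.encode())
    return encode_layer(middle.encode())


SAMPLE = build_sample()

if __name__ == "__main__":
    layers, final = peel(SAMPLE)
    print(f"peeled {len(layers)} layer(s); innermost payload is {classify(final)}")
    if classify(final) == "zip/jar":
        print("JAR entries:", jar_entries(final))
```

The stop condition relies on the real payload containing characters outside the base64 alphabet (script source or ZIP bytes both do); a final stage that happens to be base64-shaped would be decoded one round too far, so inspect the last layer as well when triaging an unknown sample.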

In the previous code snippet, a malware routine checks for the existence of the Java environment on the victim machine: if it is not installed, it downloads the JRE from an external location, a potentially compromised third-party website “hxxp://www[.]thegoldfingerinc[.]com/images/jre.zip”.

Figure 5 – Open directory used by malware to download jre.zip component

After downloading the JRE archive, the malware installs it on the victim machine. At this point, the malware triggers the persistence mechanism and sets the typical “CurrentVersion\Run” registry key.

Figure 7 – Registry key set by the malware

After many deobfuscation rounds of the recovered nested base64 strings, the final result is:

Figure 8 – Result of the decoded code

The “longText” variable hides the final payload: another .jar file. Decoding the variable “longText1”, instead, we retrieved the following code snippet:

Figure 9 – Fake listener on localhost set by the malware in case of evasion

This code, which creates a localhost listener (or a sort of proxy) on port 7755, is actually unused by the rest of the RAT malware.

Converging to the Java RAT Payload

As anticipated, the “longText” variable encodes a JAR executable containing the infamous multi-platform (Win/macOS) Adwind/JRat malware: a Remote Access Tool well known to the InfoSec community.

The structure of the code, shown in the following figure, indicates that it is the canonical Adwind/JRat malware, containing the “JRat.io” false flag.

Figure 10 – Structure of JRat malware

Finally, we extracted the configuration of the RAT payload, the JSON object reported in the following snippet.

{
  "NETWORK": [
    {
      "PORT": 9888,
      "DNS": "185.244.30.93"
    }
  ],
  "INSTALL": true,
  "MODULE_PATH": "KXA/Gzd/Sb.Po",
  "PLUGIN_FOLDER": "vuVCbHOEGdl",
  "JRE_FOLDER": "bvDMbv",
  "JAR_FOLDER": "oJYFGyiYDKG",
  "JAR_EXTENSION": "gHPrve",
  "ENCRYPT_KEY": "PqKOsNWuSwYdlCTuCJPnAGXoL",
  "DELAY_INSTALL": 2,
  "NICKNAME": "MANUEL1986",
  "VMWARE": false,
  "PLUGIN_EXTENSION": "xSgaW",
  "WEBSITE_PROJECT": "https://jrat.io",
  "JAR_NAME": "GErbOAiLUBf",
  "JAR_REGISTRY": "NVxqGXNfpjm",
  "DELAY_CONNECT": 2,
  "VBOX": false
}

The remote destination address 185.244.30.93, belonging to “Stajazk VPN” services, hosts the control server, reachable on port tcp/9888. Also, the configuration reveals the nickname field containing the string “MANUEL1986”.
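Turning the extracted configuration into indicators, as an added example (my code, not Yoroi’s tooling): configuration dumps copied from write-ups often arrive with typographic quotes, exactly as the snippet above was rendered, so the parser first normalizes those, then validates the fields it needs and pulls out the network endpoint, the registry value name, the per-build folder/file names and the operator nickname. The values are the ones reported above; the function names are mine, and the way JAR_FOLDER, JAR_NAME and JAR_EXTENSION are joined into one path is an assumption about how these fields combine, not something the analysis states.

```python
import json

# The configuration exactly as rendered in the write-up, typographic quotes included.
RAW_CONFIG = """
{
“NETWORK”:[
{
“PORT”:9888,
“DNS”:”185.244.30.93″
}
],
“INSTALL”:true,
“MODULE_PATH”:”KXA/Gzd/Sb.Po”,
“PLUGIN_FOLDER”:”vuVCbHOEGdl”,
“JRE_FOLDER”:”bvDMbv”,
“JAR_FOLDER”:”oJYFGyiYDKG”,
“JAR_EXTENSION”:”gHPrve”,
“ENCRYPT_KEY”:”PqKOsNWuSwYdlCTuCJPnAGXoL”,
“DELAY_INSTALL”:2,
“NICKNAME”:”MANUEL1986″,
“VMWARE”:false,
“PLUGIN_EXTENSION”:”xSgaW”,
“WEBSITE_PROJECT”:”https://jrat.io”,
“JAR_NAME”:”GErbOAiLUBf”,
“JAR_REGISTRY”:”NVxqGXNfpjm”,
“DELAY_CONNECT”:2,
“VBOX”:false
}
"""

# Left/right double quotes and the double-prime sign that blog rendering substitutes for '"'.
TYPOGRAPHIC_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2033": '"'}

REQUIRED_KEYS = {"NETWORK", "JAR_NAME", "JAR_FOLDER", "JAR_EXTENSION", "JAR_REGISTRY"}


def normalize_quotes(text: str) -> str:
    """Restore straight quotes so the dump is valid JSON again."""
    for bad, good in TYPOGRAPHIC_QUOTES.items():
        text = text.replace(bad, good)
    return text


def parse_config(text: str) -> dict:
    """Parse a (possibly mangled) RAT config dump and check the keys we rely on."""
    cfg = json.loads(normalize_quotes(text))
    missing = REQUIRED_KEYS - cfg.keys()
    if missing:
        raise ValueError(f"config is missing expected keys: {sorted(missing)}")
    for entry in cfg["NETWORK"]:
        if not isinstance(entry.get("PORT"), int) or not entry.get("DNS"):
            raise ValueError(f"malformed NETWORK entry: {entry!r}")
    return cfg


def extract_indicators(cfg: dict) -> dict:
    """Collect what a responder would hunt for on the network and on the host."""
    return {
        # C2 endpoints as host:port strings
        "c2": [f"{n['DNS']}:{n['PORT']}" for n in cfg["NETWORK"]],
        # value name under the Run key used for persistence
        "registry_value": cfg["JAR_REGISTRY"],
        # assumed layout: folder/name.extension (per-build random names)
        "dropped_jar": f"{cfg['JAR_FOLDER']}/{cfg['JAR_NAME']}.{cfg['JAR_EXTENSION']}",
        "folders": [cfg.get(k) for k in ("JRE_FOLDER", "PLUGIN_FOLDER", "JAR_FOLDER") if cfg.get(k)],
        # virtualisation-related flags as configured in this build
        "vm_checks": {"VMWARE": cfg.get("VMWARE"), "VBOX": cfg.get("VBOX")},
        "operator_tag": cfg.get("NICKNAME"),
        "project_url": cfg.get("WEBSITE_PROJECT"),
    }


if __name__ == "__main__":
    indicators = extract_indicators(parse_config(RAW_CONFIG))
    print(json.dumps(indicators, indent=2))
```

Because the folder, file and registry value names are randomized per build, they identify this sample rather than the family; the C2 endpoint and the operator tag are the indicators worth pivoting on across samples.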

The usage of the VPN service hides the real location of the attacker; however, the specific IP isn’t new to the threat intel community: it has been abused since October 2018. Particularly interesting is the presence of the No-IP domain “manuel.hopto.org”: this domain also resolved to Nigerian IP addresses of the 37076-EMTS-NIGERIA-AS, and to the Italian AS1267 back in 2012-2014.

Figure 11 – “manuel.hopto.org” last DNS resolutions of the JRat C2

Conclusions

The analyzed case shows how threat actors may quickly vary attack techniques and artifact characteristics, trying to masquerade their intent by making their attempts harder to track. This proves that the investigation capabilities of a threat research team are fundamental in a modern cyber security paradigm.

The specific attack waves are not likely related to the MartyMcFly campaign discovered a few months ago.

Further details, including IoCs and Yara Rules, are reported in the analysis published on the Yoroi blog.


Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
